Simplify OAS schema for GET /api/spaces/space query params #260831
TinaHeiligers merged 12 commits into elastic:main from
…clude_authorized_purposes
| ), | ||
| }, | ||
| { | ||
| validate: (value) => { |
preserves runtime validation
TinaHeiligers left a comment:
self review
Pinging @elastic/kibana-security (Team:Security)
…schema simplification
/api/spaces/space query params
…al/get_all.ts Co-authored-by: Florent LB <florent.leborgne@elastic.co>
@elasticmachine merge upstream
| meta: { | ||
| description: | ||
| 'Specifies which authorization checks are applied to the API call. The default value is `any`.', | ||
| 'When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter.', |
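Review bot: the `include_authorized_purposes` description in this hunk (the last string literal) says the parameter "cannot be used together with the `purpose` parameter", but the object-level validate rule described in the PR only rejects `include_authorized_purposes=true` alongside `purpose`; `false` with `purpose` is still accepted. Since the simplified OAS output is a plain `{ type: "boolean" }` that no longer encodes the cross-field constraint, this description is the only place API consumers learn the rule, so it should state it precisely, e.g. "This parameter cannot be set to `true` together with the `purpose` parameter."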
optional nit: Maybe it's just me, but "Without the security plugin" sounds a bit ambiguous compared to the "If the security plugin is not enabled" we had before.
The description comes directly from what it was before; I didn't add it. Once this PR lands, we can change it to whatever you like.
Am I misreading this?
before:
When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter.
after:
When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter.
nope, you're absolutely correct.
💔 Build Failed
* commit '11ed3645c5ededae2a6e29f2a79b31f52208b441': (157 commits)
  remove sync register uiAction methods (elastic#254590)
  [performance] Apply minimal auth to the search route (elastic#257497)
  [ES|QL] Reports correctly the controls server side errors (elastic#263020)
  [SecuritySolution][Navigation] Enable classic nav updates (elastic#262358)
  [Inference] Use pretty name and logo on feature settings page (elastic#262531)
  [Security Solution] fix AT-AB cypress test (elastic#262991)
  [SigEvents] Seed sigevents env script (elastic#261172)
  Adjust conditions for validating no refetch for expanded row (elastic#262978)
  [Agent Builder] update copy for the announcement modal (elastic#263034)
  [Search] Hide index management links for users without privileges (elastic#262627)
  Simplify OAS schema for GET `/api/spaces/space` query params (elastic#260831)
  Fix fleet output OAS regressions: SSL type explosion and Kafka union wrappers (elastic#260842)
  [Dashboards in chat] fix agent confusing the axes in a horizontal chat (elastic#263064)
  [One Workflow] Add alert state checkbox UI for workflow connector (elastic#259770)
  [One Workflow] Deprecate legacy Cases step types in workflow authoring (elastic#262070)
  skip failing test suite (elastic#248090)
  fix flaky test: MonitorDetails filter apply button not enabled (elastic#260788)
  fix: propagate AbortSignal to executeAsReasoningAgent for task cancellation (elastic#262811)
  [Security Solution][Alert KPI] Fix white space bug in alert KPIs (elastic#260803)
  [Streams] Move helpers and format_size_unit to utils folder (elastic#262550)
  ...

# Conflicts:
#   x-pack/platform/plugins/shared/dashboard_agent/public/attachment_types/canvas_integration/dashboard_canvas_content.test.tsx
#   x-pack/platform/plugins/shared/dashboard_agent/public/attachment_types/canvas_integration/dashboard_canvas_content.tsx
#   x-pack/platform/plugins/shared/dashboard_agent/public/attachment_types/canvas_integration/use_register_canvas_action_buttons.ts
#   x-pack/platform/plugins/shared/dashboard_agent/public/attachment_types/index.test.tsx
#   x-pack/platform/plugins/shared/dashboard_agent/public/attachment_types/index.tsx
Summary

The `GET /api/spaces/space` `include_authorized_purposes` `schema.conditional` falls back to `anyOf(array, boolean, number, object, string)`, which makes it hard for API consumers to tell that it accepts a boolean. This PR simplifies the `schema.conditional` to `schema.maybe(schema.boolean())`, generating a clean `{ type: "boolean" }` in the OAS.

The runtime cross-field constraint (`include_authorized_purposes` can only be false when `purpose` is set) is preserved by using a new object-level `validate` function.

Schema change, not a behavior change — same valid/invalid requests, same HTTP status codes, clearer error message. Also removes the need for `fixGetSpacesParams` in terraform-provider-elasticstack.

Relates to #228077.
Details

- `get_all.ts` (route definition) and `get_all.test.ts` (updated error message assertion)
- `schema.conditional` used Joi's `when` to conditionally restrict `include_authorized_purposes` to `false` when `purpose` is set. The object-level `validate` function preserves this exact constraint.
- terraform-provider-elasticstack `fixGetSpacesParams` transform (which just deletes the degenerate anyOf) becomes a no-op after this change

How to test this
Run unit tests:
All 13 tests should pass, including the cross-field validation test (purpose + include_authorized_purposes=true → error).
Run full spaces unit suite:
All 642 tests pass.
Verify OAS output: regenerate the snapshot with `node scripts/capture_oas_snapshot --include-path /api/spaces`, then check `include_authorized_purposes` in `oas_docs/bundle.json` — should be `{type: "boolean", required: false}` with no anyOf/oneOf.
Run spaces API integration tests:
115 passing. Then for security_and_spaces:
611 passing. Cross-field validation still works end-to-end.
Checklist

- `release_note:breaking` label should be applied in these situations.
- `release_note:*` label is applied per the guidelines

Identify risks
This is a low-risk change scoped to OAS output improvement — no runtime behavior change, no API contract change, no data model change.

- `validate` preserves the exact same constraint: when `purpose` is set, `include_authorized_purposes` can only be `false`. Verified via unit tests and API integration tests (726 tests total).
- Error message changes from `[include_authorized_purposes]: expected value to equal [false]` to `include_authorized_purposes can only be false when purpose is specified`. HTTP status (400) is unchanged. Downstream consumers checking exact error text would need updating, but this is an improvement in clarity.
- `fixGetSpacesParams` transform already deletes the anyOf — removing the anyOf at source means the transform becomes a no-op. No negative impact.

Co-Authored-By: Claude Opus 4.6